
A buddy of mine had his phone SIM-hacked and his Coinbase account drained. He was on the phone with Coinbase trying to stop it while it was happening, and said they were beyond useless.

Criminals have lists of everyone with crypto on Coinbase. They're cross-referencing this list with people with T-Mobile (usually), then pulling off SIM-hacks by buying off a store manager, or just grabbing the manager's laptop and running out of the store with it. At that point they have 10-15 minutes to take over as many SIMs as they can.

https://darknetdiaries.com/transcript/118/



That sounds like FUD to me. Coinbase decided my account was left for dead, and contacted my state. It took several weeks of back and forth with Coinbase, including multiple phone calls with support and sending pics of my ID, etc., before they let me access my account. I had my password etc., same phone. They wouldn't let me get my money out.


It's not FUD. They used 2FA to reset his Coinbase password, then accessed it as him and drained the account.

On top of that they drained his bank account (also using 2FA) into the Coinbase account, then drained that too. Coinbase has (or had at the time) elevated levels of trust that they just gave him, which allowed the hacker to immediately buy crypto with transferred funds. Then the hacker just transferred the crypto to another wallet.


So they used SMS-based 2FA. I had 2FA based on Google Authenticator (not SMS), because of that attack vector. I only had a few thousand dollars. But they decided Google Authenticator is not accepted anymore, and I failed to log in and reset it, and so the result was locking my account for a year - until recently, when I spent multiple days getting it reset. Thus my skepticism.

No one should allow/use text-message-based 2FA, of course.


Correct, text-based 2FA is insecure. But Coinbase allows it, and most banks offer it as the only option.

The link I posted basically describes exactly what happened to my buddy and how they pulled it off. T-Mobile + text 2FA + Coinbase is a chain of weak links.



